Bug 1249 - unbound doesn't return FORMERR to bogus ECS
unbound doesn't return FORMERR to bogus ECS
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
unspecified
Other All
: P5 normal
Assigned To: unbound team
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-04-07 00:38 CEST by JINMEI Tatuya
Modified: 2017-05-30 15:26 CEST (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description JINMEI Tatuya 2017-04-07 00:38:03 CEST
tested on svn trunk 4097.

unbound doesn't seem to be compliant to the following part of RFC7871:

Section 6
   o  A server receiving an ECS option that uses either too few or too
      many ADDRESS octets, or that has non-zero ADDRESS bits set beyond
      SOURCE PREFIX-LENGTH, SHOULD return FORMERR to reject the packet,
      as a signal to the software developer making the request to fix
      their implementation.

Instead unbound simply ignores the ECS and handles the query normally.

Same for an 'unknown' address family (neither IPv6 nor IPv4), which
could be considered to violate the sense of Section 7.2.1:

   A query with a wrongly formatted option (e.g., an unknown FAMILY)
   MUST be rejected and a FORMERR response MUST be returned to the
   sender, as described in [RFC6891], "Transport Considerations".
(although this section is about authoritative server).
Comment 1 Ralph Dolmans 2017-04-12 15:20:01 CEST
Hi Jinmei,

Unbound now returns FORMERR when the received query contains an ECS option that we are unable to parse.

Thanks,
-- Ralph